[Bug 3190] New: Inconsistent handling of private keys without accompanying public keys
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Jul 3 00:48:42 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3190
Bug ID: 3190
Summary: Inconsistent handling of private keys without
accompanying public keys
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
It comes up from time to time that somebody uses private key without
public key in separate file. OpenSSH is trying to be helpful to read
the separate public key file initially, to prevent decrypting private
keys to early, but currently it is very inconsistent. See the following
steps:
1) generate private key (unencrypted, in openssh format)
$ ssh-keygen -f /tmp/rsa -N ''
2) remove public part
$ rm /tmp/rsa.pub
3) ssh-keygen handles this use case well:
$ ssh-keygen -lf /tmp/rsa
4) We can add the key simply to ssh-agent:
$ ssh-add /tmp/rsa0
5) Whoops, we can not remove it afterward (this error message is very
confusing since it refers to /tmp/rsa.pub and /tmp/rsa is in place):
$ ssh-add -d /tmp/rsa
Bad key file /tmp/rsa: No such file or directory
6) Using the key from ssh gives bogus warnings, even though the key is
used afteward without any issues:
$ ssh -v -i /tmp/rsa localhost
[...]
debug1: identity file /tmp/rsa type -1
debug1: identity file /tmp/rsa-cert type -1
[...]
debug1: Trying private key: /tmp/rsa
debug1: Authentication succeeded (publickey).
I think the requirement of the separate public key made sense in the
encrypted legacy file formats, but the new OpenSSH file format stores
public key already inside of the private key container and if the key
is not encrypted at all, sidecar file should not be needed either.
I believe we should drop the requirement for separate public key file
at least in these cases and make the above more consistent.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list